This article presents actionable risk management recommendations for organizations facing the intersection of Internet of Things (IoT) devices and insider risks.
IoT devices that are wittingly or unwittingly brought into your organization’s physical spaces pose a threat because they could be engineered to exfiltrate sensitive data. For example, last month we heard that hackers had infiltrated an unnamed casino through its Internet-connected thermometer in an aquarium in the lobby of the casino and exfiltrated the casino’s high roller database. Other trending types of IoT devices include smartwatches, fitness trackers, or seemingly benign objects that could be used to target your workforce to obtain sensitive information.
Another unique attack vector for consideration when managing IoT device and insider risk involves employees using corporate-owned, or personal, IoT devices that are carried between office spaces and their homes. These devices could be hacked by tech-savvy criminals or other adversaries and potentially turned into ‘listening posts’ when they are carried into your company’s physical spaces.
IoT devices are increasingly being adopted by organizations for business operations or being considered for the workforce use in office spaces. This expands the attack surface that IT teams must defend and creates unique insider risks that must be addressed. The expanding adoption of IoT devices is a problem because many IoT devices are not designed or maintained with security as a priority, which presents exploitation opportunities for insiders and cyber actors. Gartner cited that businesses were on track to employ 3.1 billion connected devices in 2017.
Organizations that strategically address the intersection of IoT device and insider risk will be better postured to prevent IoT devices from being exploited to penetrate their organization and steal data or proprietary information. The following risk management tips can help you address this enterprise risk:
- Educate and Train Your Workforce on the Risks of Using IoT Devices: A primary concern for any organization is to minimize the digital risk posed by either careless or intentional employees. Employee training should provide your workforce with tools, resources, and simple steps needed to stay safe when using IoT devices at home and at work.
- Conduct a Preliminary Risk Assessment Prior to Adopting IoT Devices to Support Business Operations: Before bringing IoT devices into your spaces, conduct a thorough risk assessment of each device that considers supply chain risk and post-adoption risks to your organization.
- Adopt Organizational IoT Device Management Policies: Identify who in your organization will be responsible for reviewing and making decisions about how IoT will support your business operations. Draft IoT device usage policies for your workforce and ensure acknowledgement of proper IoT device handling procedures.
- Provide Your Workforce a Channel to Report Suspicious Use of Company-owned IoT Devices: Ensure that employees understand that if they choose to remain anonymous in reporting a potential IoT and insider related incident, their discretion will be protected by the management team.
- Address IoT Device Risk in Your Organization’s Insider Incident Response Plan: Ensure that the latest response plan includes IoT devices. This is a key initial step toward posturing against IoT device threats. This includes ensuring that a carefully considered response plan is in place as well as drafting, reviewing, and testing security plans and procedures. Key areas should focus on IoT device acquisitions and guidelines for the workforce for bringing IoT devices into your organization’s spaces.
- Configure Wireless Intrusion Detection or Prevention Systems (WIDS or WIPS) to Detect IoT Devices: If configured properly, WIDS/WIPS can be used for discovery or prevention when new wireless devices try to connect to your organization’s network, including IoT devices.
- Train Your Network Security Team to Pay Close Attention When New IoT Devices Are Connected: Ensure that IT and security teams do not simply ‘ignore the noise’ when a new IoT device is connected to your network. Set up a process for investigating any suspicious or non-approved IoT devices and ensure that your workforce understands the consequences for connecting non-company approved IoT devices.
- Use Enclaves for Your Most Sensitive Data: Consider using standalone networks and systems, or “enclaves”, to safeguard your organization’s most critical secrets. Your team should conduct a thorough risk versus convenience assessment to determine whether this is the best option.
- Implement Dynamic Testing of IoT Device Applications: Ask the IoT device application developer to conduct testing and provide your organization the results. Give strong consideration for dynamic testing to expose manufacturing defects or hardware vulnerabilities that may not be discoverable otherwise.
- Implement Static Testing of IoT Device Applications: Work with your organization’s IoT device application developer to conduct static testing at a minimum.
Adopting these approaches to manage IoT device and insider risk are by no means the only steps to take, but they can help reduce your overall organization’s overall strategic business risk. For more insights and information on IoT device and insider threat risk scenarios and management approaches, reach out to Cognitio.